We are trying to implement RADIUS Authentication and Accounting in our network. We use public IPs and DHCP to assign them to our customers; while DHCP can use RADIUS for Authentication, it does not support Accounting.
Therefore, we tried implementing HotSpot to implement accounting. The setup is as follows:
Public IP assigned to the interface (VLAN_200) facing customers
DHCP relay to a centralized DHCP server. Each customer gets a public IP.
HotSpot set up on VLAN_200 with no NAT, MAC Authentication using RADIUS
IP Pool set up with the same range as DHCP
This almost works.
HotSpot authenticates the MAC against RADIUS.
RADIUS returns Mikrotik_Rate_Limit.
Simple Queue is dynamically setup
HotSpot Hosts tab shows the MAC Address, IP Address and To Address.
HotSpot Active tab shows the User (MAC Address), IP Address, Uptime, Session Time.
The user is able to access Internet. All looks good.
One problem: the HotSpot is able to see IP addresses inside VPNs that our customers may be running.
HotSpot then adds these IP addresses (private IPs) to the Hosts tab and uses one of the Pool IPs as the To Address.
From my point of view, there should be no reason for the HotSpot to see inside VPN tunnels.
Is there any way to prevent this?
Our MikroTik router is a Cloud Core 1036-12G-4S with RouterOS 6.5.
Thanks in advance,
Terry
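A constructed RouterOS CLI version of the setup Terry lists (VLAN interface, DHCP relay, IP pool, RADIUS client, HotSpot profile and server), added here as an illustration and not the poster's own configuration. All addresses, the parent interface sfp1, the pool and profile names and the RADIUS secret are placeholders.

```routeros
# Constructed example of the setup described in the post (not the poster's
# actual configuration). Placeholder values: 203.0.113.0/24 as the customer
# public range, 203.0.113.1 as the router's VLAN_200 address, 192.0.2.10 as
# the central DHCP server, 192.0.2.20 as the RADIUS server.

# Public IP on the customer-facing VLAN interface
/interface vlan add name=VLAN_200 vlan-id=200 interface=sfp1
/ip address add address=203.0.113.1/24 interface=VLAN_200

# DHCP relay: customers get their public IPs from the central DHCP server
/ip dhcp-relay add name=relay-vlan200 interface=VLAN_200 \
    dhcp-server=192.0.2.10 local-address=203.0.113.1 disabled=no

# IP pool covering the same range the DHCP server hands out; HotSpot draws
# the "To Address" shown in the Hosts tab from this pool
/ip pool add name=pool-vlan200 ranges=203.0.113.2-203.0.113.254

# RADIUS client for the HotSpot service (authentication and accounting)
/radius add service=hotspot address=192.0.2.20 secret=PLACEHOLDER_SECRET

# HotSpot profile: MAC-only login, RADIUS for auth and accounting.
# No srcnat/masquerade rule is added, matching the "no NAT" setup.
/ip hotspot profile add name=hs-vlan200 hotspot-address=203.0.113.1 \
    login-by=mac mac-auth-mode=mac-as-username use-radius=yes \
    radius-accounting=yes radius-interim-update=5m

# HotSpot server bound to VLAN_200
/ip hotspot add name=hs-vlan200 interface=VLAN_200 \
    address-pool=pool-vlan200 profile=hs-vlan200 disabled=no

# Checks corresponding to the tabs mentioned in the post
/ip hotspot host print
/ip hotspot active print
/queue simple print
```

The three `print` commands at the end show the Hosts and Active entries and the dynamically created simple queue, which is where the extra private-IP host entries described in the post would appear.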